Mike Miller wrote:

> On Tue, 19 Oct 2004, Richard Hoffbeck wrote:
>
>> VMS is light years ahead of stock Linux as regards host security. Its
>> object-based security model is pretty much the same as the one in
>> NT/2000/XP, which works pretty well if developers take the time to do
>> the analysis, but even simple things like access control lists make a
>> big difference and have only recently shown up in Linux.
>
> I don't know the technical details so I won't argue, but this is the
> first time someone has suggested to me that NT may be superior to
> Linux in any domain of security. I am aware of access control lists
> and we want to use them on Linux. I agree that it makes a big
> difference in our working environment and that VMS seems to have an
> edge there, but it won't last long. Access control lists are bound to
> be widely implemented in Linux soon enough and I think they are
> available in some filesystems already.

The Windows security model is actually pretty sophisticated, but MS
ignores most of it in the name of user/administrator convenience. If I
remember correctly, the Navy's document on changing security settings
for a stock NT 4.0 installation to properly secure it ran to 120 pages.
Once the SE Linux security provider becomes commonplace Windows will
have to play catch-up.

The point is that for what you have to pay for VMS application software
the vendor can afford to document what permissions are required for the
application to run properly, but still be secure.

>> The thing to keep in mind about VMS is that it hasn't been updated
>> significantly since the days when all networks were considered
>> trusted, so it's going to be much better against attacks on host
>> security rather than those coming through the network - actually the
>> same seems to be true of most of the IT folks around here :-)
>
> Sure, but I consider attacks via the network to be much more serious
> and much more problematic. On Linux/UNIX systems, I can name a dozen
> or so times that I, or friends of mine, have been cracked via the net,
> but not one time when it was an inside job.

Again, that's exactly my point. Most IT folks around here are very
naive about network security, so the desirability of using ssh over
telnet is lost on them. There is an attitude that once you cross the
U's border firewalls everyone is nice and can be trusted. So they see
no problem with telnet or ftp.

>> I can certainly understand the cases where there are long-term
>> projects tied to applications developed against software tightly tied
>> to VMS - think CCCS or ARIC - where the cost of redeploying the
>> applications isn't funded. But only a complete idiot would be doing
>> new development against VMS. The Alpha chip is toast, there's no
>> migration/upgrade path, support is going away, software is
>> expensive/obsolete/proprietary, ... stop me anytime ... :-)
>
> No - keep going! ;-)
>
> We have long-term projects that may be locked into VMS, but most work
> can be done on other systems. We need to move as much work as
> possible off of VMS. We can do this gradually, but we must do it.
> Reducing the burden on the VMS servers will help the projects that are
> truly locked into VMS.
>
> My choice of OS for our next bunch of servers is Linux. I think some
> filesystems are already implementing access control lists, but that is
> one of the only things I really want that we don't have. Am I missing
> anything? Linux seems very stable and robust now, but I would like to
> be contradicted on this point if any of you believe that Linux is not
> so stable and that there are better solutions.

I hope it's a good idea. I'm in the process of migrating our
file/print/authentication services off Windows to a Linux box, and all
of our database & web apps have been running on Linux for a couple of
years now.

But look at it from the IT manager's point of view. You've got 100+
people set up for user authentication against VMS with no easy way to
utilize that service from Linux/Solaris/etc. So you can require users
to have accounts on both the new and old system, or you spring for
proprietary software to keep passwords in sync or export the
authentication services - I'm pretty sure there's a 3rd party NFS/NIS
package available and of course there is always PathWorks (if clear
text passwords don't bother you) but they both co$t. And then there's
the training costs to move development over to a new system and the
ongoing cost of administering two systems during the transition. That
generates a lot of inertia even if it is a good idea to switch.

Just pray they don't find out about
http://freshmeat.net/projects/freevms/ :-)

--rick

_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
Help beta test TCLUG's potential new home: http://plone.mn-linux.org
Got pictures for TCLUG? Beta test http://plone.mn-linux.org/gallery
tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list